Hi,

According to the Red Hat 7 security guide ANOM_ROOT_TRANS is triggered when a user becomes root. It seems that using sudo doesn't trigger this event. I would like to know how this event is triggered. There are also several ANOM_ types that I can't see generated. Is there a document describing where these events would come from?


Post by Maupertuis Philippe
> According to the Red Hat 7 security guide ANOM_ROOT_TRANS is triggered when a user becomes root. It seems that using sudo doesn't trigger this event. I would like to know how this event is triggered.

Looking at the blame view of libaudit.h on github, this was imported as far back as 1.7.4 over 10 years ago. Back then, work was being done around prelude IDS and feeding it with events for correlation and escalation. That work was mothballed when prelude upstream became inactive. Prelude support has also been removed from audit-3.0 when it gets released.

Post by Maupertuis Philippe
> There are also several ANOM_ types that I can't see generated. Is there a document describing where these events would come from?

The event types in libaudit.h are not 100% supported. Some were supported and are now not in use. (Can't remove them since you really might run across the event in a heterogeneous network.) Many in the ANOM and RESP categories are placeholders for future use. The description is accurate wrt the intended use. At the moment nothing I know of is sending that event. But the roadmap for audit 3.1 has a mention for a basic IDS capability. That might be when ANOM and RESP categories get better supported. I wouldn't expect sudo or su to send these.
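Since the thread establishes that sudo and su do not emit ANOM_ROOT_TRANS, here is an added example (not code from the thread or from the audit project) of recovering root transitions from the USER_START records that PAM does produce. The log lines are constructed, and the field handling assumes the standard auditd record layout (auid, acct, exe, res inside the msg='...' part).

```python
import re

# Constructed sample audit.log lines (not from the thread). The layout follows
# the USER_START records that sudo, su and sshd emit through PAM on RHEL 7.
SAMPLE_LOG = """\
type=USER_START msg=audit(1700000000.101:201): pid=4101 uid=1000 auid=1000 ses=3 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=USER_START msg=audit(1700000000.150:202): pid=4120 uid=1000 auid=1000 ses=3 msg='op=PAM:session_open grantors=pam_unix acct="root" exe="/usr/bin/su" hostname=? addr=? terminal=/dev/pts/1 res=failed'
type=USER_START msg=audit(1700000000.200:203): pid=4130 uid=0 auid=0 ses=1 msg='op=PAM:session_open grantors=pam_unix acct="root" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=USER_START msg=audit(1700000000.250:204): pid=4140 uid=1001 auid=1001 ses=4 msg='op=PAM:session_open grantors=pam_unix acct="backup" exe="/usr/bin/su" hostname=? addr=? terminal=/dev/pts/2 res=success'
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET_AUID = "4294967295"  # kernel value for "no login uid"


def parse_record(line):
    """Flatten one audit record into a dict, including the fields inside msg='...'."""
    line = line.strip()
    inner = ""
    m = re.search(r"msg='(.*)'$", line)
    if m:  # split off the quoted payload so its keys don't collide with msg=audit(...)
        inner = m.group(1)
        line = line[:m.start()]
    return {key: val.strip('"') for key, val in FIELD_RE.findall(line + " " + inner)}


def root_transitions(log_text):
    """Return (auid, exe, res) for each PAM session opened for root by a non-root login user."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "USER_START" or rec.get("acct") != "root":
            continue
        if rec.get("auid") in (None, "0", UNSET_AUID):
            continue  # already root, or no login session to attribute
        hits.append((rec["auid"], rec["exe"], rec["res"]))
    return hits


def anomaly_types(log_text):
    """List the ANOM_* record types actually present, to check what a host really emits."""
    return sorted({parse_record(l)["type"] for l in log_text.splitlines() if l.startswith("type=ANOM_")})
```

Running `anomaly_types` over a real audit.log is a quick way to confirm the answer above on your own hosts: on a stock RHEL 7 system the list is typically empty.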